002.itsecurity bcp v1

Information Security & Risk Management
Presented by Mohammad Ashfaqur Rahman, Compliance Professional
www.linkedin.com/in/ashfaqsaphal
[email protected]

Uploaded by mohammad-ashfaqur-rahman, posted on 12-Jan-2017 (37 slides, category: Engineering)

TRANSCRIPT

Page 1: 002.itsecurity bcp v1

Information Security & Risk Management

Presented by
Mohammad Ashfaqur Rahman, Compliance Professional
www.linkedin.com/in/ashfaqsaphal
[email protected]

Page 2: 002.itsecurity bcp v1

Objective

● Common methods and types of attack
● Layered approach
● Security objectives
● Responsibilities
● Risk management

Page 3: 002.itsecurity bcp v1

Common Cyber Attack

● Malware
  – code with malicious intent that typically steals data or destroys something on the computer
  – introduced to a system through
    • email attachments
    • software downloads, or
    • operating system vulnerabilities

Page 4: 002.itsecurity bcp v1

Common Cyber Attack

● Malware
  – code with malicious intent that typically steals data or destroys something on the computer
  – Viruses : attach themselves to programs or files and spread when the infected host is run or opened
  – Spyware : monitors or spies on its victims
  – Worms : fulfill a nefarious

Page 5: 002.itsecurity bcp v1

Common Cyber Attack

● Malware Infection Techniques
  – Phishing
  – Spear phishing (phishing aimed at a specific person or organisation)
  – Drive by Download
  – Fake Anti-Virus Software
  – Ransomware (strictly a payload; it arrives through one of the other techniques on this list)
  – Drive by Email
  – Web Inject

Page 6: 002.itsecurity bcp v1

Common Cyber Attack

● Phishing
  – Social engineering + widespread email

Page 7: 002.itsecurity bcp v1

Common Cyber Attack

● Drive by Download
  – unintentional download of malicious software, triggered simply by visiting a compromised or malicious web page

Page 8: 002.itsecurity bcp v1

Common Cyber Attack

● Fake Antivirus
  – Alarms the user with a false infection warning so that they install (or pay for) the "cleaner", which is itself the malware

Page 9: 002.itsecurity bcp v1

Common Cyber Attack

● Ransomware
  – Encrypts the data on your computer and demands payment for the decryption key

Page 10: 002.itsecurity bcp v1

Common Cyber Attack

● Drive-by Email
  – Infection is triggered merely by opening the email or viewing it in the preview pane; no attachment needs to be run

Page 11: 002.itsecurity bcp v1

Common Cyber Attack

● DoS attack
  – a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users
● DDoS attack
  – a distributed DoS: the attack traffic comes from more than one (often thousands of) unique IP addresses, typically a botnet, so blocking by source address is ineffective

Page 12: 002.itsecurity bcp v1

DoS and DDoS

Page 13: 002.itsecurity bcp v1

Layered Approach

● Also known as the "defense-in-depth" approach
● Implement different layers of protection
● The spectrum can range from
  – the programming code
  – the protocols that are being used
  – the operating system and the application configurations
  – through to user activity
  – and the security program

Page 14: 002.itsecurity bcp v1

Layered Approach

● Example : protecting file agent
  – Configure application, file, and Registry access control lists (ACLs)
  – Configure the system default user rights
  – Consider the physical security of the environment
  – Place users into groups and apply group policy as required
  – Enforce a strict logon credential policy
  – Remove shared IDs (one person per account, so every action is attributable)
  – Implement monitoring and auditing of file access
  – Define actions to identify and respond to any suspicious activity
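The last two items on the list, auditing file access and acting on suspicious activity, are where the layers pay off in practice. The script below is an added example, not part of the original slides: it parses a few constructed audit-style log lines and flags three conditions the list treats as policy violations: a shared ID still in use, access to a sensitive path outside business hours, and a burst of access-denied events from one user. The log format, user names, paths and thresholds are assumptions chosen for illustration.

```python
"""Flag suspicious file access in audit-style log lines.

Added example, not from the slide deck. The log format, the user names,
paths and every threshold below are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

# Constructed sample lines: "<ISO timestamp> <user> <path> <action> <result>"
SAMPLE_LOG = """\
2017-01-12T09:02:11 alice /finance/ledger.xlsx READ ALLOWED
2017-01-12T09:05:40 bob /finance/ledger.xlsx WRITE DENIED
2017-01-12T09:05:41 bob /finance/ledger.xlsx WRITE DENIED
2017-01-12T09:05:43 bob /finance/budget.xlsx WRITE DENIED
2017-01-12T23:48:02 alice /finance/payroll.csv READ ALLOWED
2017-01-12T10:15:00 shared_ops /finance/ledger.xlsx READ ALLOWED
2017-01-12T11:00:00 carol /public/readme.txt READ ALLOWED
"""

SHARED_IDS = {"shared_ops", "admin"}         # assumption: IDs that policy says must be removed
SENSITIVE_PREFIXES = ("/finance/",)          # assumption: paths that count as sensitive
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumption: local working hours
DENIED_BURST = 3                             # assumption: N denials ...
DENIED_WINDOW_S = 60                         # ... within this many seconds


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    path: str
    action: str
    result: str


def parse(lines: str) -> List[Event]:
    """Split the constructed five-field format into Event records."""
    events = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ts, user, path, action, result = raw.split()
        events.append(Event(datetime.fromisoformat(ts), user, path, action, result))
    return events


def find_suspicious(events: List[Event]) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (rule, user) findings."""
    findings = set()
    denied_by_user = defaultdict(list)
    for ev in events:
        sensitive = ev.path.startswith(SENSITIVE_PREFIXES)
        # Rule 1: a shared ID should not exist, let alone succeed.
        if ev.user in SHARED_IDS and ev.result == "ALLOWED":
            findings.add(("shared-id-in-use", ev.user))
        # Rule 2: sensitive data touched outside business hours.
        if sensitive and not (BUSINESS_HOURS[0] <= ev.ts.time() < BUSINESS_HOURS[1]):
            findings.add(("after-hours-sensitive-access", ev.user))
        if ev.result == "DENIED":
            denied_by_user[ev.user].append(ev.ts)
    # Rule 3: sliding window of DENIED_BURST denials within DENIED_WINDOW_S.
    for user, stamps in denied_by_user.items():
        stamps.sort()
        for i in range(len(stamps) - DENIED_BURST + 1):
            if (stamps[i + DENIED_BURST - 1] - stamps[i]).total_seconds() <= DENIED_WINDOW_S:
                findings.add(("access-denied-burst", user))
                break
    return sorted(findings)


if __name__ == "__main__":
    for rule, user in find_suspicious(parse(SAMPLE_LOG)):
        print(f"{rule}: {user}")
```

The three rules are independent on purpose: an ACL (layer one) produces the DENIED records, the credential policy (layer two) defines which IDs should never appear, and the monitoring (layer three) turns both into findings a person will act on.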

Page 15: 002.itsecurity bcp v1

Security Objectives - CIA

● Confidentiality : "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information." (44 USC Sec. 3542)
● Integrity : "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity." (44 USC Sec. 3542)
● Availability : "Ensuring timely and reliable access to and use of information." (44 USC Sec. 3542)

Page 16: 002.itsecurity bcp v1

Security Objectives - CIA

[Diagram: the CIA triad, with Confidentiality, Integrity and Availability as the three sides of Information Security, each annotated with its 44 USC Sec. 3542 definition from the previous slide]

Page 17: 002.itsecurity bcp v1

Security Objectives - CIA

Page 18: 002.itsecurity bcp v1

The Best Practices

● Confidentiality
● Integrity
● Availability
● Need-to-know
● Least privilege
● Separation of duties
● Job rotation
● Mandatory vacation
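Need-to-know, least privilege and separation of duties are the items on this list that land directly in application code. What follows is an added example, not from the slides: a minimal authorization layer for a made-up payment workflow in which roles carry only the permissions their job needs (least privilege), a user may only touch records of projects they are cleared for (need-to-know), and the creator of a payment can never be the one who approves it, even when they legitimately hold both roles (separation of duties). The roles, permissions, user names and workflow are assumptions.

```python
"""Least privilege, need-to-know and separation of duties as code checks.

Added example, not from the slide deck. The roles, permissions and the
payment workflow are made up for illustration, not a real system's policy.
"""
from dataclasses import dataclass
from typing import Optional

# Least privilege: each (assumed) role carries only the permissions its job needs.
# Nobody gets "payment:*"; creation and approval are deliberately kept apart.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create", "payment:read"},
    "manager": {"payment:approve", "payment:read"},
    "auditor": {"payment:read"},
}


class AuthorizationError(PermissionError):
    """Raised when a check fails; callers must treat it as a hard stop."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset       # subset of ROLE_PERMISSIONS keys
    projects: frozenset    # need-to-know: projects the user is cleared for


@dataclass
class Payment:
    pid: str
    project: str
    created_by: str
    approved_by: Optional[str] = None


def permissions_of(user: User) -> set:
    """Union of the user's role permissions (an unknown role grants nothing)."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def require(user: User, perm: str, project: str) -> None:
    """Deny unless the user holds `perm` AND is cleared for `project`."""
    if perm not in permissions_of(user):
        raise AuthorizationError(f"{user.name} lacks permission {perm}")
    if project not in user.projects:      # need-to-know is independent of role
        raise AuthorizationError(f"{user.name} is not cleared for project {project}")


def create_payment(user: User, pid: str, project: str) -> Payment:
    require(user, "payment:create", project)
    return Payment(pid=pid, project=project, created_by=user.name)


def approve_payment(user: User, payment: Payment) -> Payment:
    require(user, "payment:approve", payment.project)
    # Separation of duties: the creator may never approve their own payment,
    # even when they hold both the clerk and the manager role.
    if payment.created_by == user.name:
        raise AuthorizationError(
            f"separation of duties: {user.name} created {payment.pid} and cannot approve it")
    if payment.approved_by is not None:
        raise AuthorizationError(f"{payment.pid} is already approved")
    payment.approved_by = user.name
    return payment


def demo() -> dict:
    """Run the workflow with constructed users; return what was allowed or denied."""
    alice = User("alice", frozenset({"clerk"}), frozenset({"apollo"}))
    bob = User("bob", frozenset({"manager"}), frozenset({"apollo"}))
    carol = User("carol", frozenset({"manager"}), frozenset({"zeus"}))      # wrong project
    dana = User("dana", frozenset({"clerk", "manager"}), frozenset({"apollo"}))
    outcome = {}
    p1 = create_payment(alice, "P-1", "apollo")
    outcome["bob_approves_p1"] = approve_payment(bob, p1).approved_by
    attempts = {
        "carol_approves_p1": lambda: approve_payment(carol, p1),                                   # need-to-know
        "alice_approves_own": lambda: approve_payment(alice, create_payment(alice, "P-2", "apollo")),  # no permission
        "dana_approves_own": lambda: approve_payment(dana, create_payment(dana, "P-3", "apollo")),     # SoD
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            outcome[label] = "allowed"
        except AuthorizationError as exc:
            outcome[label] = f"denied: {exc}"
    return outcome


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

The ordering inside `approve_payment` matters: the permission and need-to-know checks run first, so a caller learns nothing about a payment in a project they are not cleared for, and the separation-of-duties rule is checked against who created the record, not against which roles the approver holds.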

Page 19: 002.itsecurity bcp v1

Security Control Points

● Operational and Physical Controls
  – Operational Security (execution of policies, standards & processes; education & awareness)
    • Service Providers: IA, Program Security, Personnel Security, Document Controls (or CM), HR, Finance, etc.

Page 20: 002.itsecurity bcp v1

Security Control Points

● Operational and Physical Controls
  – Physical Security (facility or infrastructure protection)
    • Locks, doors, walls, fences, curtains, etc.
    • Service Providers: FSO, guards, dogs

Page 21: 002.itsecurity bcp v1

Security Control Points

● Technical (Logical) Controls
  – Access Controls, Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation
    • Service Providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk

Page 22: 002.itsecurity bcp v1

Threat, Risk, and Countermeasure

Threat Agent : An entity that may act on a vulnerability.
Threat : Any potential danger to the information life cycle.
Vulnerability : A weakness or flaw that may provide an opportunity to a threat agent.
Risk : The likelihood that a threat agent exploits a vulnerability, combined with the impact if it does.
Exposure : An instance of being compromised by a threat agent.
Countermeasure / safeguard : An administrative, operational, or logical mitigation against potential risk(s).
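The terms above combine into a risk register. The code below is an added example, not from the slides: it scores each register entry as likelihood x impact on an assumed 3-point scale, applies the entry's countermeasures to obtain the residual risk, and ranks the register by residual score. The scale, the banding thresholds and the three sample entries (which echo attacks covered earlier in the deck) are constructed for illustration.

```python
"""Qualitative risk register: inherent vs residual risk.

Added example, not from the slide deck. The 3-point scale, the banding
thresholds and the three register entries are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE = {"low": 1, "medium": 2, "high": 3}       # assumed ordinal scale
LEVEL_OF = {v: k for k, v in SCALE.items()}


def rate(likelihood: str, impact: str) -> Tuple[int, str]:
    """Risk = likelihood x impact; band the 1..9 product (assumed thresholds)."""
    score = SCALE[likelihood] * SCALE[impact]
    band = "Low" if score <= 2 else "Medium" if score <= 4 else "High"
    return score, band


@dataclass(frozen=True)
class Countermeasure:
    name: str
    kind: str                   # administrative, operational or logical (as on the slide)
    likelihood_steps: int = 0   # scale steps by which it lowers likelihood
    impact_steps: int = 0       # scale steps by which it lowers impact


@dataclass
class Risk:
    threat_agent: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def inherent(self) -> Tuple[int, str]:
        """Risk before any countermeasure."""
        return rate(self.likelihood, self.impact)

    def residual(self) -> Tuple[int, str]:
        """Apply every countermeasure, never dropping below 'low' on either axis."""
        lik, imp = SCALE[self.likelihood], SCALE[self.impact]
        for cm in self.countermeasures:
            lik = max(1, lik - cm.likelihood_steps)
            imp = max(1, imp - cm.impact_steps)
        return rate(LEVEL_OF[lik], LEVEL_OF[imp])


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: r.residual()[0], reverse=True)


# Constructed register entries (assumed values), echoing attacks from the deck.
REGISTER = [
    Risk("external attacker", "phishing", "users click links in mass email",
         likelihood="high", impact="high",
         countermeasures=[Countermeasure("awareness training", "operational", likelihood_steps=1),
                          Countermeasure("MFA on mail and VPN", "logical", impact_steps=1)]),
    Risk("botnet operator", "DDoS", "single internet uplink with no scrubbing",
         likelihood="medium", impact="high",
         countermeasures=[Countermeasure("upstream DDoS scrubbing", "logical", impact_steps=1)]),
    Risk("insider", "misuse of shared admin ID", "shared account, no attribution",
         likelihood="medium", impact="medium",
         countermeasures=[Countermeasure("remove shared IDs", "administrative", likelihood_steps=2)]),
]


def summarise(register: List[Risk]) -> List[Tuple[str, str, str]]:
    """(threat, inherent band, residual band) in priority order."""
    return [(r.threat, r.inherent()[1], r.residual()[1]) for r in prioritise(register)]


if __name__ == "__main__":
    for threat, inh, res in summarise(REGISTER):
        print(f"{threat:<28} inherent={inh:<6} residual={res}")
```

Residual risk is what management accepts, transfers or treats further, so the register is ranked on it rather than on the inherent score; the `kind` field keeps the slide's administrative/operational/logical classification attached to each countermeasure so the control mix per risk is visible.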

Page 23: 002.itsecurity bcp v1

Threat, Risk, and Countermeasure

Page 24: 002.itsecurity bcp v1

Information Security Implementation

Page 25: 002.itsecurity bcp v1

Security System Development Life Cycle

● The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project

● Identification of specific threats and creating controls to counter them

● SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

Page 26: 002.itsecurity bcp v1

Security System Development Life Cycle

Page 27: 002.itsecurity bcp v1

SSDLC - Investigation

● Identifies the process, outcomes, goals, and constraints of the project
● Begins with the enterprise information security policy
● An organizational feasibility analysis is performed

Page 28: 002.itsecurity bcp v1

SSDLC - Analysis

● Documents from the investigation phase are studied
● Analyzes existing security policies or programs, along with documented current threats and associated controls
● Includes analysis of relevant legal issues that could impact the design of the security solution
● The risk management task begins

Page 29: 002.itsecurity bcp v1

SSDLC - Logical Design

● Creates and develops blueprints for information security
● Incident response actions planned:
  – Continuity planning
  – Incident response
  – Disaster recovery
● Feasibility analysis to determine whether the project should continue or be outsourced

Page 30: 002.itsecurity bcp v1

SSDLC - Physical Design

● Needed security technology is evaluated, alternatives generated, and final design selected

● At end of phase, feasibility study determines readiness of organization for project

Page 31: 002.itsecurity bcp v1

SSDLC - Implementation

● Security solutions are acquired, tested, implemented, and tested again

● Personnel issues evaluated; specific training and education programs conducted

● Entire tested package is presented to management for final approval

Page 32: 002.itsecurity bcp v1

SSDLC - Maintenance and Change

● Perhaps the most important phase, given the ever-changing threat environment

● Often, reparation and restoration of information is a constant duel with an unseen adversary

● Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

Page 33: 002.itsecurity bcp v1

Security Professionals

● Wide range of professionals required to support a diverse information security program

● Senior management is key component; also, additional administrative support and technical expertise required to implement details of IS program

Page 34: 002.itsecurity bcp v1

Information Security Project Team

● A number of individuals who are experienced in one or more facets of technical and non-technical areas:
  – SME
  – Team leader
  – Security policy developers
  – Risk assessment specialists
  – Security professionals
  – Systems administrators
  – End users

Page 35: 002.itsecurity bcp v1

Additional Information : Data Ownership

● Data Owner
  – responsible for the security and use of a particular set of information
● Data Custodian
  – responsible for storage, maintenance, and protection of information
● Data Users
  – end users who work with information to perform their daily jobs supporting the mission of the organization

Page 36: 002.itsecurity bcp v1

It is your turn again

Page 37: 002.itsecurity bcp v1

The Final Word